Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Certificates can be created with same serial as imported certificates [Solved]

    Scheduled Pinned Locked Moved
    General pfSense Questions
    3
    4
    479
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • V
      ViktorLindstrm
      last edited by ViktorLindstrm

      Hi! I ran in to the following issue today.
      When new certificates are created, it is not verified if the serial number already exists.

      If a set of certificates are imported with higher serial number than the counter for the certificate manager has for stamping serial numbers, the numbers will ultimately collide and certificates will be created with the same serial number. And there is no way of manually setting the serial number from what i understand.

      So the way to go about fixing this was to create a set of "dummy" certificates. Which was fine for me in this instance since it was a small amount of imported certificates I needed to be taken account for.

      I thought of this as a heads up for all you you that has a couple of certificates imported.
      Has anyone else experienced this?
      In my opinion the serial number should be verified by the certificate manager to be unique (within that specific CA of course) before the certificate is stamped with it. or at least give me a warning.

      Issue found in: 2.4.4-RELEASE-p2

      1 Reply Last reply Reply Quote 0
      • kiokomanK
        kiokoman LAYER 8
        last edited by kiokoman

        https://forum.netgate.com/topic/69978/generated-certificates-with-non-unique-serial-numbers/2

        When you import a CA, there is no way in the CA to determine how many certificates it has generated. It's up to the user to inform the system what the next serial number should be.

        ̿' ̿'\̵͇̿̿\з=(◕_◕)=ε/̵͇̿̿/'̿'̿ ̿
        Please do not use chat/PM to ask for help
        we must focus on silencing this @guest character. we must make up lies and alter the copyrights !
        Don't forget to Upvote with the 👍 button for any post you find to be helpful.

        1 Reply Last reply Reply Quote 1
        • DerelictD
          Derelict LAYER 8 Netgate
          last edited by

          I would not report any issues on anything but the current version, which is 2.4.4-p3.

          That said, it is incumbent upon the administrator to issue certificates with the correct and expected serial numbers. The field is right there to manipulate in the CA properties.

          b8d59209-4cf5-48e7-89c4-ff8d2e91cc4d-image.png

          This sort of falls into the "can only prevent so much foot-shooting" category. With that CA serial number setting, the certificate generator is only doing as it has been told.

          If a feature request does not exist for this at https://redmine.pfsense.org/ one can be created.

          Chattanooga, Tennessee, USA
          A comprehensive network diagram is worth 10,000 words and 15 conference calls.
          DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
          Do Not Chat For Help! NO_WAN_EGRESS(TM)

          1 Reply Last reply Reply Quote 1
          • V
            ViktorLindstrm
            last edited by

            That's nice! Thanks for the reply, that solves much of the issue.
            I simply did not find the Serial for next certificate since I had my mind wrapped around looking in the settings for the certificate creation, not editing the CA. My bad!
            how much help you give the user is always something that can be discussed, but sure I can agree with this as long as the serial can be changed.

            Thanks for the quick reply!

            1 Reply Last reply Reply Quote 1
            • First post
              Last post